The Council, a regulator for healthcare professionals in the UK, admitted to the mistake, which saw confidential personal information and evidence from two vulnerable children lost. The data was unencrypted, according to the ICO.

ICO calls the midwife

DVDs went missing from their cases during the couriering of evidence related to a ‘fitness to practise’ case, and have yet to be found. The cases did not show any evidence of tampering.

“It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again,” said David Smith, deputy commissioner at the ICO.

“While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.

“The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered.”

The Council wouldn’t be drawn into saying whether it would appeal the fine or not, but noted it was disappointed by the ICO’s action. It also claimed its policy did require encryption, despite the ICO’s suggestion there were no rules in place.

“Our policy, in place at the time, required encryption. We received the DVDs from the police unencrypted, but we failed to encrypt them before we sent them on,” the Council said, in a statement sent to TechWeek.